Title: RE: [ActiveDir] LDAP export pros/cons
I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third-party web portal? Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an LDAP export, assuming this is going to be a long-term solution? The only thing we are trying to do is to allow our users to log into the third-party web portal without having to learn an additional user name & password. I do not want to give out any more information than that about my users.
 
Thanks for the quick responses.
 
R- 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 2:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Not sure there are any documented risks.  Risks being relational to the entity taking them.
 
However, as a disinterested third party I'd have to point out that the risk is not technical in nature but rather about the information you're sharing.  I suppose the information you give out is far more important to the conversation, but it seems you don't know these folks nor trust them really.  If that's the case, then it's possible you could be giving out the account information to a non-trusted source.
 
The questions you need to ask are "what can they do with the information I provide and can I take any action to protect myself?"
 
Some folks wouldn't have a problem giving out that information.  Others would.  You'll need to assess that risk based on the information you plan to give out.
 
Email addresses are a unique identifier by the way.  And usually public knowledge.


From: Robert N. Leali [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

That's correct.  Looking for risks associated ....


From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Thu 1/20/2005 2:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Are you looking for risks associated with giving your directory away to a
semi-trusted third party?  Did I paraphrase that correctly?

Al

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP export pros/cons

Can someone point me to a white paper or article that gives the pros and
cons and security implications of allowing a semi-trusted third-party to
access our AD with an LDAP export to an RSA server?

We are being asked to allow our users to authenticate to a third party web
portal using their current Windows 2003 AD accounts.  The third party wants
an LDAP export to their RSA server and  an account that has appropriate
access to allow authentication to the AD box.  This is in an extra-net
environment.

Any guidance or advice would be appreciated.

Robert

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/